News Archives

Wednesday, July 22, 2015

FTC Highlights Role of Non-Technical Employees in Data Breaches

On June 30, the Federal Trade Commission published Start with Security: A Guide for Business, a brochure which summarizes lessons learned from the 50+ settlements the FTC has reached with companies accused of unfair and deceptive practices with respect to the protection of customer data. The Guide is structured into what the FTC describes as ten common-sense lessons that apply to businesses of all sizes:

Start with security

Control access to data sensibly

Require secure passwords and authentication

Store sensitive personal information securely and protect it during transmission

Put procedures in place to keep your security current and address vulnerabilities as they arise

Secure paper, physical media, and devices.

Each lesson is illustrated with practices in named companies that deviate from these prescriptions, and not surprisingly, the role of non-technical employees in security breaches is mentioned often in these examples: Eight security lapses are identified:

Accretive: (a) used real people’s personal information in employee training sessions, and then failed to remove the information from employees’ computers after the sessions were over; and (b) an employee left a laptop containing more than 600 files, with 20 million pieces of information related to 23,000 patients, in the locked passenger compartment of a car, which was then stolen.

Goal Financial: (a) failed to restrict employee access to personal information stored in paper files and on its network; as a result, employees transferred more than 7,000 consumer files containing sensitive information to third parties without authorization; and (b) an employee sold surplus hard drives that contained the sensitive personal information of approximately 34,000 customers in clear text.

Twitter: (a) granted almost all of its employees administrative control over Twitter’s system, including the ability to reset user account passwords, view users’ nonpublic tweets, and send tweets on users’ behalf; (b) let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts; (c) failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts

CBR Systems: backup tapes, a laptop, and an external hard drive – all of which contained sensitive information – that were lifted from an employee’s car.

To be sure, most of the examples of weak security practices cited in the Guide relate to actions taken or not taken by technical employees or their managers. While HR staff should certainly advocate for the correction of technical lapses they are aware of, they should insist upon adequate data security policies and training for practices that vest responsibility in the general employee population. A key part of HR's mission should be to help employees be productive and avoid harming both their own careers and the company through obviously imprudent handling of personal information.